From 1ce70d911f4d7d9a9eb46e179a0681934b91e272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?c=C4=83t=C4=83lin?= <catalin@roboces.dev>
Date: Wed, 28 Jan 2026 10:17:13 +0100
Subject: [PATCH] feat: add ganymede

---
 docker/ganymede/docker-compose.yml | 48 ++++++++++++++++++++++++++++++
 docker/ganymede/sample.env         | 27 +++++++++++++++++
 tofu/authentik/main.tf             | 23 ++++++++++++++
 tofu/authentik/sample.env          |  2 ++
 tofu/authentik/vars.tf             | 10 +++++++
 5 files changed, 110 insertions(+)
 create mode 100644 docker/ganymede/docker-compose.yml
 create mode 100644 docker/ganymede/sample.env

diff --git a/docker/ganymede/docker-compose.yml b/docker/ganymede/docker-compose.yml
new file mode 100644
index 0000000..7ba5213
--- /dev/null
+++ b/docker/ganymede/docker-compose.yml
@@ -0,0 +1,48 @@
+---
+services:
+  ganymede:
+    container_name: ganymede
+    image: ghcr.io/zibbp/ganymede:4.11.3
+    restart: unless-stopped
+    environment:
+      DEBUG: ${GANYMEDE_DEBUG:-false}
+      TZ: ${GANYMEDE_TZ:-Europe/Madrid}
+      VIDEOS_DIR: ${GANYMEDE_VIDEOS_DIR:-/data/videos}
+      TEMP_DIR: ${GANYMEDE_TEMP_DIR:-/data/temp}
+      LOGS_DIR: ${GANYMEDE_LOGS_DIR:-/data/logs}
+      CONFIG_DIR: ${GANYMEDE_CONFIG_DIR:-/data/config}
+      DB_HOST: ${GANYMEDE_DB_HOST:-192.168.1.3}
+      DB_PORT: ${GANYMEDE_DB_PORT:-5432}
+      DB_USER: ${GANYMEDE_DB_USER:-ganymede}
+      DB_PASS: ${GANYMEDE_DB_PASS}
+      DB_NAME: ${GANYMEDE_DB_NAME:-ganymede}
+      DB_SSL: ${GANYMEDE_DB_SSL:-disable}
+      TWITCH_CLIENT_ID: ${GANYMEDE_TWITCH_CLIENT_ID}
+      TWITCH_CLIENT_SECRET: ${GANYMEDE_TWITCH_CLIENT_SECRET}
+      MAX_CHAT_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS:-3}
+      MAX_CHAT_RENDER_EXECUTIONS: ${GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS:-2}
+      MAX_VIDEO_DOWNLOAD_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS:-2}
+      MAX_VIDEO_CONVERT_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS:-3}
+      MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS: ${GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS:-2}
+      OAUTH_ENABLED: ${GANYMEDE_OAUTH_ENABLED:-true}
+      OAUTH_PROVIDER_URL: ${GANYMEDE_OAUTH_PROVIDER_URL:-https://auth.fukurokuju.dev/application/o/ganymede/}
+      OAUTH_CLIENT_ID: ${GANYMEDE_OAUTH_CLIENT_ID}
+      OAUTH_CLIENT_SECRET: ${GANYMEDE_OAUTH_CLIENT_SECRET}
+      OAUTH_REDIRECT_URL: ${GANYMEDE_OAUTH_REDIRECT_URL:-https://vods.roboces.dev/api/v1/auth/oauth/callback}
+      SHOW_SSO_LOGIN_BUTTON: ${GANYMEDE_SHOW_SSO_LOGIN_BUTTON:-true}
+      FORCE_SSO_AUTH: ${GANYMEDE_FORCE_SSO_AUTH:-true}
+      REQUIRE_LOGIN: ${GANYMEDE_REQUIRE_LOGIN:-true}
+    volumes:
+      - ${GANYMEDE_VIDEOS:-/mnt/vods/ganymede/videos}:/data/videos
+      - ${GANYMEDE_TEMP:-/mnt/vods/ganymede/temp}:/data/temp
+      - ${GANYMEDE_CACHE:-/mnt/vods/ganymede/cache}:/data/.cache
+      - ${GANYMEDE_LOGS:-/mnt/vods/ganymede/logs}:/data/logs
+      - ${GANYMEDE_CONFIG:-/mnt/vods/ganymede/config}:/data/config
+    ports:
+      - "4800:4000"
+    healthcheck:
+      test: curl --fail http://localhost:4000/health || exit 1
+      interval: 60s
+      retries: 5
+      start_period: 60s
+      timeout: 10s
diff --git a/docker/ganymede/sample.env b/docker/ganymede/sample.env
new file mode 100644
index 0000000..5b2205b
--- /dev/null
+++ b/docker/ganymede/sample.env
@@ -0,0 +1,27 @@
+GANYMEDE_DEBUG=false
+GANYMEDE_TZ=Europe/Madrid
+GANYMEDE_VIDEOS_DIR=/data/videos
+GANYMEDE_TEMP_DIR=/data/temp
+GANYMEDE_LOGS_DIR=/data/logs
+GANYMEDE_CONFIG_DIR=/data/config
+GANYMEDE_DB_HOST=192.168.1.3
+GANYMEDE_DB_PORT=5432
+GANYMEDE_DB_USER=ganymede
+GANYMEDE_DB_PASS=
+GANYMEDE_DB_NAME=ganymede
+GANYMEDE_DB_SSL=disable
+GANYMEDE_TWITCH_CLIENT_ID=
+GANYMEDE_TWITCH_CLIENT_SECRET=
+GANYMEDE_MAX_CHAT_DOWNLOAD_EXECUTIONS=3
+GANYMEDE_MAX_CHAT_RENDER_EXECUTIONS=2
+GANYMEDE_MAX_VIDEO_DOWNLOAD_EXECUTIONS=2
+GANYMEDE_MAX_VIDEO_CONVERT_EXECUTIONS=3
+GANYMEDE_MAX_VIDEO_SPRITE_THUMBNAIL_EXECUTIONS=2
+GANYMEDE_OAUTH_ENABLED=true
+GANYMEDE_OAUTH_PROVIDER_URL=https://auth.fukurokuju.dev/application/o/ganymede/
+GANYMEDE_OAUTH_CLIENT_ID=
+GANYMEDE_OAUTH_CLIENT_SECRET=
+GANYMEDE_OAUTH_REDIRECT_URL=https://vods.roboces.dev/api/v1/auth/oauth/callback
+GANYMEDE_SHOW_SSO_LOGIN_BUTTON=true
+GANYMEDE_FORCE_SSO_AUTH=false
+GANYMEDE_REQUIRE_LOGIN=false
diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf
index 7d43f4f..42c0582 100644
--- a/tofu/authentik/main.tf
+++ b/tofu/authentik/main.tf
@@ -22,6 +22,11 @@ resource "authentik_group" "ci" {
   users = [data.authentik_user.catalin.id]
 }
 
+resource "authentik_group" "vods" {
+  name  = "vods"
+  users = [data.authentik_user.catalin.id]
+}
+
 resource "authentik_group" "admins" {
   name         = "authentik Admins"
   is_superuser = true
@@ -204,6 +209,8 @@ module "rustical" {
   source              = "../modules/authentik-oidc"
   app_name            = "rustical"
   app_slug            = "rustical"
+  app_url             = "https://cal.roboces.dev"
+  app_icon            = "https://cal.roboces.dev/favicon.ico"
   client_id           = var.rustical_client_id
   client_secret       = var.rustical_client_secret
   redirect_uris       = [{ matching_mode = "strict", url = "https://cal.roboces.dev/frontend/login/oidc/callback" }]
@@ -216,6 +223,8 @@ module "jellyfin" {
   app_slug            = "jellyfin"
   base_dn             = "DC=ldap,DC=fukurokuju,DC=dev"
   name                = "jellyfin"
+  app_url             = "https://jelly.roboces.dev"
+  app_icon            = "https://jelly.roboces.dev/favicon.ico"
   app_access_group_id = authentik_group.arrs.id
 }
 
@@ -224,7 +233,21 @@ module "tandoor" {
   app_name            = "Tandoor"
   app_slug            = "tandoor"
   app_access_group_id = ""
+  app_url             = "https://recipes.roboces.dev"
   redirect_uris       = [{ matching_mode = "strict", url = "https://recipes.roboces.dev/accounts/oidc/authentik/login/callback/" }]
+  app_icon            = "https://recipes.roboces.dev/favicon.icon"
   client_id           = var.tandoor_client_id
   client_secret       = var.tandoor_client_secret
 }
+
+module "ganymede" {
+  source              = "../modules/authentik-oidc"
+  app_name            = "Ganymede"
+  app_slug            = "ganymede"
+  redirect_uris       = [{ matching_mode = "strict", url = "https://vods.roboces.dev/api/v1/auth/oauth/callback" }]
+  client_id           = var.ganymede_client_id
+  client_secret       = var.ganymede_client_secret
+  app_url             = "https://vods.roboces.dev"
+  app_icon            = "https://vods.roboces.dev/favicon.ico"
+  app_access_group_id = authentik_group.vods.id
+}
diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env
index 3887146..d7e4361 100644
--- a/tofu/authentik/sample.env
+++ b/tofu/authentik/sample.env
@@ -14,3 +14,5 @@ TF_VAR_rustical_client_id=
 TF_VAR_rustical_client_secret=
 TF_VAR_tandoor_client_id=
 TF_VAR_tandoor_client_secret=
+TF_VAR_ganymede_client_id=
+TF_VAR_ganymede_client_secret=
diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf
index 30ec835..f85bfe7 100644
--- a/tofu/authentik/vars.tf
+++ b/tofu/authentik/vars.tf
@@ -68,3 +68,13 @@ variable "tandoor_client_secret" {
   description = "Tandoor client secret"
   type        = string
 }
+
+variable "ganymede_client_id" {
+  description = "Ganymede client ID"
+  type        = string
+}
+
+variable "ganymede_client_secret" {
+  description = "Ganymede client secret"
+  type        = string
+}